Nukes Not as Secure as Thought: Report
Monday, October 5, 2015 @ 02:10 PM gHale
Nuclear facilities work in an air gapped environment so the idea of an attack disabling a plant would be impossible, right? Wrong, just ask the operators at the “air gapped” Natanz facility in Iran. Stuxnet did a job on that plant.
After that attack, it might be easy to think security measures at nuclear facilities increased to the point where operators were able to lock down the systems and keep them air tight.
Wrong, according to a new report.
“The trend to digitization, when combined with a lack of executive-level awareness of the risks involved, means that nuclear plant personnel may not realize the full extent of their cyber vulnerability and are thus inadequately prepared to deal with potential attacks,” said a Chatham House report published Monday, entitled, “Cyber Security at Civil Nuclear Facilities: Understanding the Risks.”
Air gapped nuclear facilities remain isolated from the Internet, correct? The answer to that question is no, the report’s authors found most nuclear facilities have some type of Internet connection. That means hackers can identify some components who known how to use search engines like Shodan.
The commercial benefits of internet connectivity mean nuclear facilities may now have virtual private networks and other connections installed, sometimes undocumented or forgotten by contractors and other legitimate third-party operators, the report said.
That connection, on top of the use of flash drives point to nuclear facilities showing some types of vulnerabilities, the report said. The use of flash drives was a key vector in the Stuxnet attack.
The Stuxnet attack, which ISSSource reported ended up conducted by the United States and Israel, revved up centrifuges at the Natanz, Iran, nuclear facility, while the operators were seeing everything was running safely. The resulting damage wiped out the centrifuges and set the Iranian nuclear program back for years.
Another big risk is supply chain vulnerabilities, the report said. At any point between the moment equipment ends up manufactured until the moment a supplier delivers it to the facility and installs it, equipment used at a nuclear facility can suffer a compromise. That issue is not just with the nuclear industry as companies need to eye their supply chains to ensure they receive secure products with no surprise back doors programmed in.
Software patching at these facilities often ends up placed to the side out of fear patches could break a system or lead to significant downtime, the lack of clear cyber security incident disclosure procedures and information sharing, and insufficient spending on cyber security, and you have a recipe for a difficult defense.
The report points out issues and offers recommendations to address problems, but it will take “an organizational response by the civil nuclear sector, which includes, by necessity, knowledgeable leadership at the highest levels, and dynamic contributions by management, staff and the wider community of stakeholders, including members of the security and safety communities.”
The report also includes details of several known cyber security incidents at nuclear facilities in the last two decades, including the Natanz nuclear facility and the Bushehr nuclear power plant. It came together after a series of interviews with experts from around the world, including the U.S., UK, France, Japan, Germany, Ukraine and Russia.
Chatham House’s report focused on the vulnerabilities within the UK’s nuclear facilities, the same issues affect all critical national infrastructure.
The following are some challenges the report found facing the industry:
• The infrequency of cyber security incident disclosure at nuclear facilities makes it difficult to assess the true extent of the problem and may lead nuclear industry personnel to believe there are few incidents. Limited collaboration with other industries or information-sharing means the nuclear industry tends not to learn from other industries more advanced in this field.
• A paucity of regulatory standards, as well as limited communication between cyber security companies and vendors, are also of concern.
• This suggests that the industry’s risk assessment may be inadequate; as a consequence, there is often insufficient spending on cyber security.
• Developing countries may be particularly at risk, because they have even fewer resources available to invest in cyber security.
• Nuclear plant personnel, who are operational technology engineers, and cyber security personnel, who are information technology engineers, frequently have difficulty communicating, which can lead to friction. In many cases the problem ends up compounded by the off-site location of cyber security personnel.
• Nuclear plant personnel often lack an understanding of key cyber security procedures, finding the procedures documents produced by cyber security personnel do not communicate this information in language clear to them.
• Cyber security training at nuclear facilities is often insufficient. In particular, there is a lack of integrated cyber security drills between nuclear plant personnel and cyber security personnel.
• Reactive rather than proactive approaches to cyber security contribute to the possibility that a nuclear facility might not know of a cyber attack until it is already substantially under way.
• This suggests that nuclear plants may lack preparedness for a large-scale cyber security emergency, particularly if one were to occur outside normal working hours.
• Industrial control systems are ‘insecure by design’, since cyber security measures were not designed in from the beginning.
• Standard IT solutions such as patching are difficult to implement at nuclear facilities, mainly owing to concern that patches could break a system and because of the commercial need to reduce plant downtime.
• Supply chain vulnerabilities mean equipment used at a nuclear facility risks compromise at any stage.
The cyber security threat requires an organizational response, which includes, by necessity, knowledgeable leadership at the highest levels, and dynamic contributions by management, staff and the wider community of stakeholders, including members of the security and safety communities. The nuclear sector as a whole, taking account of recommendations and guidance issued by the IAEA, should take a strategic approach that will:
• Develop a more robust ambition to match or overtake its opponents in cyberspace and thereby take the initiative, focusing its resources on critical elements of the nuclear fuel cycle.
• Fund the promotion and fostering of cyber security within the industry, aiming to encourage a sectoral-level approach, from the highest levels down to the individual.
• Establish an international cyber security risk management strategy designed to maintain momentum and agility, incorporating the necessary mechanisms for in-depth preparation to meet cyber security challenges, however these may arise, and a flexible and coordinated response.
• Develop coordinated plans of action to address the technical shortfalls identified, such as in patch management, and make the necessary investments.
• Include all stakeholders in the organizational response. This will require knowledgeable leadership at the highest levels, the free flow of information and dynamic contributions by management, staff and the wider community of stakeholders, including members of the security and safety communities.
• Promote an environment that enables the appropriate balance between regulated and self-determined actions to avoid any tendency for overall stagnation.
Click here to download the full report.